Tag Archives: FOI

Mostly because I haven’t posted much on this blog recently, I’m uploading a version of a talk I gave at the recent conference of the National Police Chiefs Council (NPCC). I was asked to talk, alongside FOIKid Bilal Ghafoor, and tribunal judge David Farrer QC, about what the teenage years of the Freedom of Information Act 2000 might look like. After I’d reflected on this, I ended up rather more optimistic than I expected. YMMV, as they say.

Before I talk about the future, and FOI as it enters those awkward teenage years, I wanted to reflect a bit on its early infanthood. Has it achieved what it was hoped it would achieve? Has it worked well?

As is sometimes overlooked, Parliament declined to enact a purpose clause into the 2000 Freedom of Information Act (against the urging of the then Information Commissioner Elizabeth France). So when we talk about whether FOIA has achieved its aims, we are, to an extent, second guessing what Parliament intended. However, in 2012 the Justice Committee conducted post-legislative scrutiny of FOIA, and the Ministry of Justice (drawing on the original White Paper which preceded the Act) identified four objectives for it:

openness and transparency;

accountability;

better decision making;

and public involvement in decision making, including increased public trust in decision making by government

And the committee felt that FOIA has achieved the first three but the secondary objective of enhancing public confidence in Government had not been achieved, and was unlikely to be achieved.

And I think this is broadly right: we have seen more openness and transparency – when working well together FOIA feeds into the Transparency Agenda and vice versa. Huge amounts of public sector information have been made available where once it wasn’t. And with openness and transparency come, or should come more accountability and better decision making. But that final objective, involving increasing public trust in decision making, has almost been achieved in the negative – and that is partly to do with how the public hear about FOIA. Many, probably most, major FOIA stories run by the media almost inevitably involve scandal or highlight wasteful practice, and often go hand in hand with litigation aimed at preventing disclosure. The MPs expenses scandal was one of FOIA’s major victories (although, let us not forget, it was a leak to the Telegraph, rather than a final FOIA disclosure, that led to the full details coming out) but while it enhanced FOIA’s status, it’s hard to say it did anything but greatly damage public trust in government, and more widely, politicians.

But the Justice Committee report identified something else, and something very relevant when we start to look to the future of FOIA. It stated that “the right to access public sector information is an important constitutional right” – something which Lady Justice Arden also recognised in her recent Court of Appeal judgment in the Dransfield case. And when something is identified as part of our constitution, it becomes pretty hard to remove it, or amend it to any great extent. The Conservative government appear to be experiencing this at the moment, as their plans to repeal the Human Rights Act have been stalled. The Human Rights Act can also be said to have achieved constitutional status – by incorporating the European Convention on Human Rights into the domestic law of the UK, it represented a major shift in how individual rights are protected under British law. It may well end up being the case that the only way the Act could be repealed would be by replacing it with something essentially the same (or by pulling out of the Convention, and pulling out of Europe) and even then, as Lord Bingham said

“Which of these rights…would we wish to discard? Are any of them trivial, superfluous, unnecessary? Are any them un-British?”

The rights enshrined in the European Convention are fundamental, and they’re not going to go away, and when one considers that one of them – Article 10 – contains not just the right to freedom of expression, but the right to receive and impart information (subject to necessary and lawful conditions) one can begin to perceive that a Freedom of Information Act helps give effect to this fundamental right.

A majority of the Supreme Court, in the Kennedy judgment last year, went even further, and said that a (qualified) right to receive information from a public authority was not just enshrined in the Convention Rights, but existed (and always has existed) under the Common Law.

What I’m saying, by going off on a somewhat legalistic tangent, is that the right to request and receive public sector information is so fundamentally embedded in our legal and constitutional landscape, that I don’t see any realistic challenge to the principle (and I doubt any of you would). But it also means that any tinkering with the right becomes correspondingly difficult. And this is why although I think FOI will have some teenage tantrums, it won’t have a huge teenage meltdown and emerge from its bedroom a completely different individual.

But with that important caveat, what might we see?

Well, under Francis Maude in the Cabinet Office and Chris Grayling at the Ministry of Justice (although Lib Dem Simon Hughes had the actual FOI brief) we saw significant strides, and a lot of fine words, about the importance of transparency, with Maude even saying in 2012

“I’d like to make Freedom of Information redundant, by pushing out so much data that people won’t have to ask for it”

But they have all gone on to other things – Maude to the Lords, Grayling to Leader of the Commons and Simon Hughes back to his day job, after losing his seat last month. Will this lead to changes? Well, still very much in post is David Cameron, and he has spoken before about his concerns about FOI “furring up the arteries of government” and of FOI’s “buggeration factor”, which doesn’t bode well for those of us who support the Act. And minister with responsibility for FOI (under Michael Gove as Justice Secretary) is Dominic Raab. Raab is strong on civil liberties and is known to be a frequent user of FOI in his parliamentary and constituency work. One of his targets was the Police Federation – in 2011 he sent requests to all forces asking for figures on the number of police staff working full-time for the Federation. But Gove is reputed not to be so keen on FOI – indeed, in 2011 his then Department of Education was found to have used private email accounts to conduct government business, apparently in the belief that this took them outside FOIA.

It does seem clear that any changes to FOIA are not high on the government’s list of priorities: there was nothing in the Conservatives’ election manifesto, and there have been no obvious pronouncements in the early days.

For a flavour though of what might be on the cards it’s instructive to go back to the government response to the post-legislative scrutiny. On the subject of FOI cost limits there was a suggestion that further factors might be taken into account – so, added to the costs of locating and retrieving information it might become possible to take into account consideration and redaction time. This could have more profound effects that is immediately apparent – as most of you will know, those two activities can take up a large amount of time, and if that change were brought in I think we would see a huge increase in cost refusals.

Another related suggestion was that for costs purposes requests from the same person or group of persons could be aggregated EVEN where there was no similarity between the subject of the requests. It is not hard to see how this would be devastating for some journalists who make use of FOI.

And a further suggestion was the introduction of fees for appealing a case to the Information Tribunal. This would be unlikely to affect public authorities, but requesters could well be dissuaded. No doubt some of those would be the more speculative, persistent or frivolous of requesters, but I would be concerned that some well-intentioned requesters would decide not to exercise their rights if such a change were made.

On the more “pro-FOI” side, we are likely to see further public authorities made subject to FOIA. ACPO of course came in in 2012, Network Rail this year, and Theresa May has made clear that she would like to see the Police Federation covered.

But also discussions need to be had about the extent to which private contractors performing public functions are caught by FOI. The government has previously indicated that it thinks this can be achieved through appropriate contractual provisions, but I’m dubious – without a clear legal obligation, and associated enforcement mechanism, I struggle to see why this would happen.

So, despite my optimism that the fundamental principles of FOI are now constitutionally embedded, I don’t necessarily think there will be no changes. But I continue to think they will be essentially minor, and this is because I think there is a further factor which protects those fundamental principles. As I said, Dominic Raab has traditionally used FOI to gather information to better help him in his job. And thousands and thousands of other people do so. Journalists are the most obvious example (and when it comes to defenders of the right to receive information you couldn’t ask for a more vocal group) but campaign groups, other public authorities, academics and private citizens do so. And for this reason FOI is popular. Unlike the Human Rights Act there are no (or very few – I don’t know of any) journalists campaigning for FOIA’s repeal. Politicians don’t campaign on a platform of opposition to the right to receive public information.

FOI does promote better openness and transparency; better accountability; better decision making, and even if it hasn’t yet, and probably never will, improve the public trust in government decision-making, one thing which would further destroy that trust would be changes to make public authorities less accountable. And the media and campaigners would be lined up to make the point vociferously.

FOI may, in its teenage years, suffer from its own equivalent of angst, anger and acne, but it will have strong friends to support it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

The Freedom of Information Act 2000 (FOIA) requires a public authority, when someone makes a request for information, to say whether or not it holds it, and if it does, to disclose that information to the requester (subject to the application of any exemption). But what if it doesn’t know whether it holds it or not? What if, after it has said it can’t find the information, and after the Information Commissioner’s Office (ICO) has accepted this and issued a decision notice upholding the authority’s approach, it then discovers it held it all along? This is the situation the First-tier Tribunal (FTT) recently found itself faced with.

The facts of the case are relatively complex, but the issues turned on whether briefing notes, prepared for the Mayor of Doncaster Metropolitan Borough Council (DMBC) in the lead-up to a decision to withdraw funding for DMBC’s United Nations Day, could be found. The ICO had determined, in Decision Notice FS50503811 that

Ultimately the Commissioner had to decide whether a set of briefing notes were held by the Council. His decision, on the balance of probabilities, is that it does not

The requester appealed to the FTT, which, after initially considering the matter on the papers, ordered an oral hearing because of some apparent inconsistencies in DMBC’s evidence (I have to be frank, what exactly these were is not really clear from the FTT’s judgment (at paragraph 27). However, prior to that oral hearing DMBC located the briefing notes in question, so

the focus of the oral hearing was limited simply to establishing whether, at the time of the information request by the Appellant, DMBC knew that it held the information in the light of the searches that it had made in response to the Information Commissioner’s enquiries prior to his issuing the Decision Notice

In determining that it was satisfied that DMBC did not know, at the time of the request, that it held the information, the FTT was swayed by the fact that DMBC “even during the Information Commissioner’s enquiries, DMBC had maintained it had nothing to gain from ‘hiding’ the briefing notes” but also by the fact that DMBC owned up to poor records management practice in the period leading up to the request

In many senses it is more embarrassing for DMBC now to admit the truth that it had, historically, an unreliable and ineffective Records Management system than to continue to maintain that it could not find the requested information

It doesn’t surprise me that the FTT found as it did. What does surprise me, however, is that records management is not given a greater focus by the ICO. Although FOIA is not, primarily, a records management act, it does contain provisions relating to records management. Powers do exist both to help improve practice both generally (through guidance) and specifically (through the use of practice recommendations). As I’ve written before

section 46 of FOIA [requires] the Lord Chancellor to issue a code of practice for management of records. Section 9 of that Code deals with the need to keep records in systems that enable records to be stored and retrieved as necessary, and section 10 with the need to know what records are held and where they are.

Under section 47 of FOIA the [ICO] must promote the following of good practice by public authorities and perform his functions so as to promote the observance by authorities of the section 46 Code, as well as the requirements of the Act in general. And under section 48 he may issue a “practice recommendation” if it appears to him that the authority has not conformed with the section 46 Code. In investigating compliance with the Code he has the power (section 51) to issue an “information notice” requiring the authority to furnish him with the information. Failure to comply with an information notice can, ultimately, constitute contempt of court.

I appreciate that the ICO has a lot on its hands, but good records management is so very integral not just to good FOIA compliance, but also to good compliance with the other major statute the ICO oversees – the Data Protection Act 1998. Greater focus on records management could drive better overall compliance with information rights law.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Yesterday, after attending a fascinating and in-depth briefing from Network Rail on their journey towards being subject to the Freedom of Information Act 2000, I was privileged to appear on a panel debating “In a world of Freedom of Information, does voluntary transparency still matter?” Although rather daunted by the illustrious fellow panel members – the Campaign for Freedom of Information‘s Maurice Frankel, the Guardian’s Jane Dudman and Sir Alex Allan KCB1 – I delivered a short address on the subject (as did those others). Perhaps unsurprisingly, the panel were unanimous in feeling that voluntary transparency does still matter in a world of FOI, but, just as importantly, that voluntary transparency does not and should not make FOI redundant. This is broadly what I said, with added hyperlinks:

A very wise man called Tim Turner once wrote: “The point of FOI is that you get to ask about what YOU want to know, not what The Nice Man Wants To Tell You”. And this I think is the key point which distinguishes the access rights afforded to individuals under Freedom of Information and related legislation, from the transparency agenda which has led to the UK government again this week being pronounced the most open and transparent in the world, by Tim Berners Lee’s World Wide Web Foundation.

At the same time as that first place was announced, cynics amongst us might have pointed to the fact that in the 2013 Global Right to Information Ratings compiled by Access Info and the Canadian Centre for Law and Democracy, the UK was in 29th place, behind countries like Kyrgyzstan and Sierra Leone.

There’s clearly a gap in perception there, and one that is not simply explained away by questions about methodology.

In 2012 Francis Maude said “I’d like to make Freedom of Information redundant, by pushing out so much data that people won’t have to ask for it”. While this is in some ways a laudable aim, it is simply never going to wash: there will always be some information which Mr Maude doesn’t want disclosed, but which I, or, you, or someone else, does (to illustrate this one only has to look at how regularly the Cabinet Office claims FOI exemptions and refuses to disclose).

By the same token Network Rail, who have disclosed an impressive amount of valuable data over recent years, would not, I am sure, pretend that they expect only ever to disclose information in response to FOI requests, when they come under the Act’s coverage in a few months. There will clearly be information which they will not be able to disclose (and for perfectly valid reasons).

The transparency agenda cannot simply sweep away concerns about disclosure of commercially sensitive information, or of personal data, or of information which might prejudice national security. But there will always be people who want this information, and there will always be the need for a legal framework to arbitrate disputes about disclosure, and particularly about whether the public interest favours disclosure or not.

And, as a brief aside, I think there’s an inherent risk in an aggressive, or, rather, enthusiastic, approach to publication under a transparency agenda – sometimes information which shouldn’t be published does get published. I have seen some nasty erroneous, and even deliberate, disclosures of personal data within Open Datasets. The framework of FOI should, in principle at least, provide a means of error-checking before disclosure.

When FOI was in its infancy we were assured that effective and robust publication schemes would ultimately reduce the amount of time spent dealing with FOI requests – “Point them to the publication scheme” we were told…While I am sure that, on some level, this did transpire, no one I have spoken to really feels that proactive publication via a publication scheme has led to a noticeable decrease in FOI requests. And I think the same applies with the Transparency Agenda – as much as Mr Maude would like to think it will make FOI redundant, it has, and will continue to have, only a minor effect on the (necessary) burden that FOI places on public authorities.

I do not think we are going to see either the Transparency Agenda dispense with FOI, nor FOI dispense with the Transparency Agenda: they are, if not two sides of the same coin, at least two different coins in the same purse. And we should always bear in mind that public scrutiny of public authorities is not just about what the Nice Man Wants To Tell You, but is equally about what the Nasty Man Doesn’t Want To Tell You.

1I’m delighted to see from his Wikipedia entry that Sir Alex is a huge Grateful Dead fan, and that further research suggests that this isn’t just Wikipedian inaccuracy

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

When Information Commissioner (IC) Christopher Graham speaks, people listen. And so they should: he is the statutory regulator of the Freedom of Information Act 2000 (FOIA) whose role is “to uphold information rights in the public interest”. A speech by Graham is likely be examined carefully, to see if it gives indications of future developments, and this is the reason I am slightly concerned by a particular section of his recent speech at an event in Scotland looking at ten years of the Scottish FOI Act.

The section in question dealt with his envy of his Scottish counterparts. They, he observed, have relatively greater resources, and the Scottish Information Commissioner, unlike him, has a constitutional status that bolsters her independence, but also he envied

the simple and straightforward appeals mechanism in the Scottish legislation. The Scottish Commissioner’s decision is final, subject only to an appeal to the Court of Session on a point of law.

By contrast, in England, Wales and Northern Ireland, under section 57 of FOIA, there is a right of appeal to a tribunal (the First-tier Tribunal (Information Rights)). Under section 58(2) the Tribunal may review any finding of fact by the IC – this means that the Tribunal is able to substitute its own view for that of the commissioner. In Scotland, by contrast, as Graham indicates, the commissioner’s decision is only able to be overturned if it was wrong as a matter of law.

Tribunals are intended to provide a simple, accessible system of justice where users can represent themselves

It is very much easier for a litigant to represent herself in the Information tribunal, than it would be in a court.

Clearly, the situation as it currently obtains in England, Wales and Northern Ireland – free right of appeal to a Tribunal which can take a merits view of the case – will lead to more appeals, but isn’t that rather the point? There should be a straightforward way of challenging the decisions of a regulator on access to information matters. Graham bemoans that he is “having to spend too much of my very limited resources on Tribunals and lawyers” but I could have more sympathy if it was the case that this was purely wasted expenditure – if the appeals made were futile and changed nothing – but the figures don’t bear this out. Graham says that this year there have been 179 appeals; I don’t know where his figures are from, but from a rough totting-up of the cases listed on the Tribunal’s website I calculated that there have been about 263 decisions promulgated this year, of which 42 were successful. So, very far from showing an appeal to be a futile exercise, these figures suggest that approximately 1 in 5 was successful (at least in the first instance). What is also notable though, is the small but significant number of consent orders – nine this year. A consent order will result where the parties no longer contest the proceedings, and agree on terms to conclude them. It is speculation on my part but I would be very interested to know how many of those nine orders resulted from the IC deciding on the arguments submitted that his position was no longer sustainable.

What I’m getting at is that the IC doesn’t always get things right in the first instance; therefore, a right of appeal to an independent fact-finding tribunal is a valuable one for applicants. I think it is something we should be proud of, and we should feel sorry for FOI applicants in Scotland who are forced into court litigation (and proving an error of law) in order to challenge a decision there.

Ultimately, the clue to Graham’s disapproval of the right of appeal to Tribunal lies in the words “limited resources”. I do sympathise with his position – FOI regulation is massively underfunded by the government, and I rather suspect that, with better resourcing, Graham would take a different view. But I think his speech was particularly concerning because the issue of whether there should be a fee for bringing a case in the Tribunal was previously raised by the government, in its response to post-legislative scrutiny of FOIA. Things have gone rather quiet on this since, but might Graham’s speech herald the revival of such proposals?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The Hackney Gazette reports that details of 15,000 residents have been published on the internet after Hackney Council apparently inadvertently disclosed the data when responding to a Freedom of Information (FOI) request made using the WhatDoTheyKnow site.

This is not the first time that such apparently catastrophic inadvertent disclosures have happened through WhatDoTheyKnow, and, indeed, in 2012 MySociety, who run the site, issued a statement following a similar incident with Islington Council. As that made clear

responses sent via WhatDoTheyKnow are automatically published online without any human intervention – this is the key feature that makes this site both valuable and popular

It is clearly the responsibility of the authorities in question to ensure that no hidden or exempt information is included in FOI disclosures via WhatDoTheyKnow, or indeed, in FOI disclosures in general. A failure to have appropriate organisational and technical safeguards in place can lead to enforcement action by the Information Commissioner’s Office for contraventions of the Data Protection Act 1998 (DPA): Islington ended up with a monetary penalty notice of £70,000 for their incident, which involved 2000 people. Although the number of data subjects involved is not the only factor the ICO will take into account when deciding what action to take, it is certainly a relevant one: 15000 affected individuals is a hell of a lot.

What concerns me is this sort of thing keeps happening. We don’t know the details of this incident yet, but with such large numbers of data subjects involved it seems likely that it will have involved some sort of dataset, and I would not be at all surprised if it involved purportedly masked or hidden data, such as in a pivot table [EDIT – I’m given to understand that this incident involved cached data in MS Excel]. Around the time of the Islington incident the ICO’s Head of Policy Steve Wood published a blog post drawing attention to the risks. A warning also takes the form of a small piece on a generic page about request handling, which says

take care when using pivot tables to anonymise data in a spreadsheet. The spreadsheet will usually still contain the detailed source data, even if this is hidden and not immediately visible at first glance. Consider converting the spreadsheet to a plain text format (such as CSV) if necessary.

This is fine, but does it go far enough? Last year I wrote on the Guardian web site, and called for greater efforts to be made to highlight the issue. I think that what I wrote then still holds

The ICO must work with the government to offer advice direct to chief executives and those reponsible for risk at councils and NHS bodies (and perhaps other bodies, but these two sectors are probably the highest risk ones). So far these disclosure errors do not appear to have led to harm to those individuals whose private information was compromised, but, without further action, I fear it is only a matter of time.

Time will tell whether this Hackney incident results in a finding of DPA contravention, and ICO enforcement, but in the interim I wish the word would get spread around about how to avoid disclosing hidden data in spreadsheets.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

On the second day of Xmas FOI revealed to me two turtle docs and cartridges for the army

On the third day of Xmas FOI revealed to me 3 pinched hens*, two turtle docs and cartridges for the army

On the fourth day of Xmas FOI revealed to me four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the fifth day of Christmas FOI revealed to me FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the sixth day of Christmas FOI revealed to me Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the seventh day of Christmas FOI revealed to me Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the eighth day of Christmas FOI revealed to me Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the ninth day of Christmas FOI revealed to me Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the tenth day of Christmas FOI revealed to me Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the eleventh day of Christmas FOI revealed to me Eleven-plus deciding,Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

On the twelfth day of Christmas FOI revealed to me Twelve-Tonne Containers, Eleven-plus deciding,Ten Lords-a-Judging, Nine Babies’ chances, Eight-year-olds Bilking, Seven Dons-a-Sinning, Six Tree Inspections, FIVE GOLD THINGS, four NADPO nerds, 3 pinched hens, two turtle docs and cartridges for the army

In June this year I blogged about the case of AB v A Chief Constable (Rev 1) [2014] EWHC 1965 (QB). In that case, Mr Justice Cranston had held that, when determining whether personal data is being or has been processed “fairly” (pursuant to the first principle of Schedule One of the Data Protection Act 1998 (DPA))

assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I was surprised by this reading in of an interests balance to the first principle, and said so in my post. Better people than I disagreed, and I certainly am even less sure now than I was of the correctness of my view.

In any case, the binding authority of the High Court rather trumps my meanderings, and it is cited in a recent decision of the First-tier Tribunal (Information Rights) in support of a ruling that the London Borough of Merton Council must disclose, under the Freedom of Information Act 2000 (FOIA), an email sent to a cabinet member of that council by Stephen Hammond MP. The Tribunal, in overturning the decision of the Information Commissioner, considered the private interests of Mr Hammond, including the fact that he had objected to the disclosure, but felt that these did not carry much weight:

we do not consider anything in the requested information to be particularly private or personal and that [sic] this substantially weakens the weight of interest in nondisclosure…We accept that Mr Hammond has objected to the disclosure, which in itself carries some weight as representing his interests. However, asides from an expectation of a general principle of non-disclosure of MP correspondence, we have not been given any reason for this. We have been given very little from the Commissioner to substantiate why Members of Parliament would have an expectation that all their correspondence in relation to official work remain confidential

and balanced against these were the public interests in disclosure, including

no authority had been given for the statement [in the ICO’s decision notice] that MPs expect that all correspondence to remain confidential…[;]…withholding of the requested information was not compatible with the principles of accountability and openness, whereby MPs should subject themselves to public scrutiny, and only withhold information when the wider public interest requires it…[;]…the particular circumstances of this case [concerning parking arrangements in the applicant’s road] made any expectation of confidentiality unreasonable and strongly indicated that disclosure would be fair

The arguments weighed, said the Tribunal, strongly in favour of disclosure.

A further point fell to be considered, however: for processing of personal data to be fair and lawful (per the first data protection principle) there must be met, beyond any general considerations, a condition in Schedule Two DPA. The relevant one, condition 6(1) requires that

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

It has to be noted that “necessary” here in the DPA imports a human rights proportionality test and it “is not synonymous with ‘indispensable’…[but] it implies the existence of a ‘pressing social need'” (The Sunday Times v United Kingdom(1979) 2 EHRR 245). The Tribunal, in what effectively was a reiteration of the arguments about general “fairness”, accepted that the condition would be met in this case, citing the applicant’s arguments, which included the fact that

disclosure is necessary to meet the public interest in making public what Mr Hammond has said to the Council on the subject of parking in Wimbledon Village, and that as an elected MP, accountable to his constituents, disclosure of such correspondence cannot constitute unwarranted prejudice to his interests.

With the exception of certain names within the requested information, the Tribunal ordered disclosure. Assessing “fairness” now, following Mr Justice Cranston, and not following me, clearly does involve balancing the interests of the data subject against the public interest in disclosure.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The Brighouse Echo reveals that Stephen Baines (no relation, of course), the Leader of Calderdale Council, resorted to submitting a Freedom of Information (FOI) request in exasperation, after apparently failing to get answers from officers at the Council

I asked officers on November 10 if there was there was any truth in these allegations [about officers ignoring warnings about the legality of a parking scheme], and I hadn’t received a reply, and last Friday I’d had enough – I finally lost it and put in a Freedom of Information request. It’s highly probable that I’m the first council leader to have done this, but I was just getting so frustrated.

But did he need to make an FOI request? In fact, could he even make an FOI request?

I would say that it is strongly arguable that in a council operating executive arrangements – as Calderdale does – under part 9C(3) of the Local Government Act 2000 (LGA 2000), whereby a Leader with a Leader-appointed Cabinet constitute the executive, the executive are deemed generally to be in control of information relating to the council’s functions. So in general terms, the Leader and Cabinet are “the Council”. Section 9D(3) of LGA 2000 provides that “any function of the local authority which is not specified in regulations…is to be the responsibility of an executive of the authority under executive arrangements” (the regulations in question are The Local Authorities (Functions and Responsibilities) (England) Regulations 2000 (as amended). Put another way, the executive are the ones who should take any decision on access to documents, rather than officers (other than officers who have had that decision delegated to them). The exceptions to this general principle would be where the documents relate to functions which are not the responsibility of the executive. Effectively, the executive will be the possessors/controllers of all council information for which the executive has the functional responsibility.

I feel bolstered in this suggestion by Part 5 of The Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012. This gives “Additional rights of [access of] members of the local authority and of members of overview and scrutiny committees” and sections 16 and 17 talk in terms of the right of a member, or a member of an overview and scrutiny committee, to inspect certain documents which are “in the possession or under the control of the executive of a local authority”. No interpretative guide is given to what “in the possession or under the control of the executive of a local authority” means, but it is clear that there must be a category of documents which are “in the possession or under the control of the executive of a local authority”. That being the case, one might ask “which documents are not ‘in the possession or under the control of the executive of a local authority’?” To which I am tempted to answer “those which do not relate to the functions for which the executive has responsibility”.

So, if it is, for instance, a function of a local authority to provide library services (section 7 of the Public Libraries and Museums Act 1964). This function is the responsibility of the executive (because regulations do not specify otherwise). Delivery of the function will normally be by delegation to officers, but I cannot see how those officers, or others, could then restrict a member of the executive from seeing a document relating to the exercise of executive functions. And if, as I understand is the case, civil enforcement of parking contraventions is also an executive functions (surely delegated to officers) one wonders also if officers can restrict a Leader from seeing a document relating to the exercise of that specific function.

So, my argument goes, a leader of a council cannot make an FOI request to the council for information about the exercise of an executive functions, because in that regard he is the council. Comments welcomed!

And n.b. I have not even begun to consider where a councillor’s, or a leader’s, common law right to know fits in to this…

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Campaigning group Big Brother Watch have released a report entitled “NHS Data Breaches”. It purports to show the extent of such “breaches” within the NHS. However it fails properly to define its terms, and uses very questionable methodology. I think, most worryingly, this sort of flawed research could lead to a reluctance on the part of public sector data controllers to monitor and record data security incidents.

As I checked my news alerts over a mug of contemplative coffee last Friday morning, the first thing I noticed was an odd story from a Bedfordshire news outlet:

Bedford Hospital gets clean bill of health in new data protection breach report, unlike neighbouring counties…From 2011 to 2014 the hospital did not breach the data protection act once, unlike neighbours Northampton where the mental health facility recorded 346 breaches, and Cambridge University Hospitals which registered 535 (the third worst in the country).

Elsewhere I saw that one NHS Trust had apparently breached data protection law 869 times in the same period, but many others, like Bedford Hospital had not done so once. What was going on – are some NHS Trusts so much worse in terms of legal compliance than others? Are some staffed by people unaware and unconcerned about patient confidentiality? No. What was going on was that campaigning group Big Brother Watch had released a report with flawed methodology, a misrepresentation of the law and flawed conclusions, which I fear could actually lead to poorer data protection compliance in the future.

I have written before about the need for clear terminology when discussing data protection compliance, and of the confusion which can be caused by sloppiness. The data protection world is very found of the word “breach”, or “data breach”, and it can be a useful term to describe a data security incident involving compromise or potential compromise of personal data, but the confusion arises because it can also be used to describe, or assumed to apply to, a breach of the law, a breach of the Data Protection Act 1998 (DPA). But a data security incident is not necessarily a breach of a legal obligation in the DPA: the seventh data protection principle in Schedule One requires that

Appropriate technical and organisational measures shall be taken [by a data controller] against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

And section 4(4) of the DPA obliges a data controller to comply with the Schedule One data protection principles. This means that when appropriate technical and organisational measures are taken but unauthorised or unlawful processing, or accidental loss or destruction of, or damage to, personal data nonetheless occurs, the data controller is not in breach of its obligations (at least under the seventh principle). This distinction between a data security incident, and a breach, or contravention, of legal obligations, is one that the Information Commissioner’s Office (ICO) itself has sometimes failed to appreciate (as the First-tier Tribunal found in the Scottish Borders Council case EA/2012/0212). Confusion only increases when one takes into account that under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which are closely related to the DPA, and which deal with data security in – broadly – the telecoms arena, there is an actual legislative provision (regulation 2, as amended) which talks in terms of a “personal data breach”, which is

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

and regulation 5A obliges a relevant data controller to inform the ICO when there has been a “personal data breach”. It is important to note, however, that a “personal data breach” under PECR will not be a breach, or contravention, of the seventh DPA data protection principle, provided the data controller took appropriate technical and organisational to safeguard the data.

Things get even more complex when one bears in mind that the draft European General Data Protection Regulation proposes a similar approach as PECR, and defines a “personal data breach” in similar terms as above (simply removing the words “in connection with the provision of a public electronic communications service“).

Notwithstanding this, the Big Brother Watch report is entitled “NHS Data Breaches”, so one would hope that it would have been clear about its own terms. It has led to a lot of coverage, with media outlets picking up on headline-grabbing claims of “7225 breaches” in the NHS between 2011 and 2014, which is the equivalent to “6 breaches a day”. But when one looks at the methodology used, serious questions are raised about the research. It used Freedom of Information requests to all NHS Trusts and Bodies, and the actual request was in the following terms

1. The number of a) medical personnel and b) non-medical personnel that have been convicted for breaches of the Data Protection Act.

2. The number of a) medical personnel and b) non-medical personnel that have had their employment terminated for breaches of the Data Protection Act.

3. The number of a) medical personnel and b) non-medical personnel that have been disciplined internally but have not been prosecuted for breaches of the Data Protection Act.

4. The number of a) medical personnel and b) non-medical personnel that have resigned during disciplinary procedures.

5. The number of instances where a breach has not led to any disciplinary action.

The first thing to note is that, in broad terms, the only way that an individual NHS employee can “breach the Data Protection Act” is by committing a criminal offence under section 55 of unlawfully obtaining personal data without the consent of the (employer) data controller. All the other relevant legal obligations under the DPA are ones attaching to the NHS body itself, as data controller. Thus, by section 4(4) the NHS body has an obligation to comply with the data protection principles in Schedule One of the DPA, not individual employees. And so, except in the most serious of cases, where an employee acts without the consent of the employer to unlawfully obtain personal data, individual employees, whether medical or non-medical personnel, cannot as a matter of law “breach the Data Protection Act”.

One might argue that it is easy to infer that what Big Brother Watch meant to ask for was information about the number of times when actions of individual employees meant that their employer NHS body had breached its obligations under the DPA, and, yes, that it probably what was meant, but the incorrect terms and lack of clarity vitiated the purported research from the start. This is because NHS bodies have to comply with the NHS/Department of Health Information Governance Toolkit. This toolkit actually requires NHS bodies to record serious data security incidents even where those incidents did not, in fact, constitute a breach of the body’s obligations under the DPA (i.e. incidents might be recorded which were “near misses” or which did not constitute a failure of the obligation to comply with the seventh, data security, principle).

The results Big Brother Watch got in response to their ambiguous and inaccurately termed FOI request show that some NHS bodies clearly interpreted it expansively, to encompass all data security incidents, while others – those with zero returns in any of the fields, for instance – clearly interpreted it restrictively. In fact, in at least one case an NHS Trust highlighted that its return included “near misses”, but these were still categorised by Big Brother Watch as “breaches”.

And this is not unimportant: data security and data protection are of immense importance in the NHS, which has to handle huge amounts of highly sensitive personal data, often under challenging circumstances. Awful contraventions of the DPA do occur, but so too do individual and unavoidable instances of human error. The best data controllers will record and act on the latter, even though they don’t give rise to liability under the DPA, and they should be applauded for doing so. Naming and shaming NHS bodies on the basis of such flawed research methodology might well achieve Big Brother Watch’s aim of publicising its call for greater sanctions for criminal offences, but I worry that it might lead to some data controllers being wary of recording incidents, for fear that they will be disclosed and misinterpreted in the pursuit of questionable research.